If we're talking about MED9/EDC16 series, simply search for writes to r13 and r2 to properly determine those:

So this is what I see:

(I have loaded in the .bin at 0x80000 as per the memory map specs from documentation).

I guess I still have a lot of learning to do. Those addresses don't even exist in the address space that I've created in IDA, and the docs say that 0x000000 to 0x07FFFF is used by UC3F Flash (on-chip flash), which I thought wasn't utilised at all in these ECUs

This is a 2009 BMW motorbike BMSKP. It has a 2mb external flash which is my .bin size. Unfortunately I do not know what is the equivalent EDC/ME(D) series. most of those seem to have much smaller flash.

Anyway, I just found the 800gb DAMOS that's floating around the internet, (I only had 10gb collection before), so hopefully I'll find something useful in there to help me on my way to understanding this.

Ultimately, I guess I want to do something like what you guys have done with ME7Logger and similar tools, where I can readMemorybyAddress, and I need to find out the memory locations for the values I am interested in. For now, I will use readDatabyLocalIdentifier, which gives me ~26 values all at once, but there is one value missing from the packet, so I have to do two different requests, which can halve the rate of information (update frequency).. I have almost everything I want in a known kwp2000 request (Analog Values), but it doesn't contain "Open loop / closed loop" status. That is in a different request/response (Digital Values). I'd like to put everything I want into a single request and have that update fast for my datalogger.

At the end of the day it's a long term project for me, and this disassembly business is the part I am most likely to fail at, but I am well on my way with kwp2000 debugging/capturing etc.

Med 9 has mpc562 CPU my bmskp has mpc564. They are almost the same but mine has 512kb on-chip flash there as well. (See https://drive.google.com/file/d/1QZPwFWwabeAubCKdapLA69EgEuF0IOkD/view?usp=drivesdk ). I'm a little confused though because my initial BDM backups with bdm100 don't include that (it's only 2mb) however OBD backup with kess is 2.5mb. maybe I should be analysing the 2.5mb file instead. I suppose it's possible bdm100 and 12 year old dim555 software was unaware of the extra 512kb, and just read it as an mpc562, but I restorered the 2mb bdm to another ECU and it was ok, so I had been thinking the 512kb was unused.

kess and ktag are new additions to the toolbox and I think I have been analysing my original dim555 / bdm100 backups..

I will take a BDM backup with ktag, see if that is 2.5mb, and load that up in Ida instead :-)
 

can you share the 2.5mb backup?